
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.

The PDPA was implemented in phases to allow time for organisations to adjust to the new law. The Do Not Call (DNC) Registry provisions came into force on 2 January 2014 and the personal data protection provisions came into force on 2 July 2014.

The data protection provisions govern the collection, use and disclosure of personal data by organisations. In brief, the PDPA contains three main sets of data protection obligations:

Obligations relating to notification, consent and purpose: Organisations must notify their purposes and obtain consent from individuals for the collection, use and disclosure of individuals’ personal data.

Obligations relating to compliance, accountability and access and correction: Organisations must make information available about their data protection policies, appoint a data protection officer, give individuals access to their personal data (upon request) and allow individuals to correct their personal data (also upon request).

The PDPA also provides for the establishment of a DNC Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations. You may refer to our website for more information on the data protection and DNC provisions.

The PDPA aims to safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving them more control over how their personal data is used.

The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data and giving assurance to businesses looking for safeguards to protect sensitive data sets.

The PDPA will strengthen Singapore's overall economic competitiveness and enhance Singapore's status as a trusted hub and choice location for global data management and processing services.

The law will provide greater clarity on the rules and liabilities for businesses hosting personal data in Singapore. This will complement Singapore's existing strengths, such as geographical location, reliability and advanced telecommunications infrastructure, to create a conducive environment for the fast-growing global data management and data processing industries, such as cloud computing, to thrive in Singapore.

The law will also put in place safeguards to protect data sets, which will help facilitate the smooth transfer of data to and from jurisdictions that have enacted data protection laws, many of which place obligations on organisations to ensure sufficient protection for transfer of data overseas. These safeguards serve as an attractive draw for cloud computing and business analytics activities to be located in Singapore. Compliance with the regime also sends a positive message and builds trust and credibility with consumers. Organisations will be able to assure their customers that their personal data will be sufficiently protected.

The provisions of the PDPA were formulated keeping in mind the need to keep compliance costs manageable for businesses. A transition period was provided to allow organisations sufficient time to phase in the necessary measures to comply with the data protection regime.

There may be some costs associated with complying with the PDPA, especially for businesses that have not adopted any data protection practices. Those that already have adequate data protection measures in place should not incur high incremental costs to comply with the new law. The impact on Small and Medium Enterprises (SMEs) should also be minimal if they do not collect, process or hold on to large amounts of personal data.

The costs should be viewed against the benefits of having such a law. As data protection legislation is increasingly seen as a basic feature in an economy's legal framework, the lack of a data protection regime potentially hinders the flow of information across borders, and disadvantages Singapore businesses in the global economy.

The Spam Control Act (SCA) sets out a framework to manage unsolicited commercial electronic messages sent in bulk through electronic mail, text and multimedia messaging, otherwise known as "spam". The SCA requires organisations to, among others, provide an unsubscribe facility within the spam message and include a header in the subject field of the message or where there is no subject field, as the first words in the message.

While the SCA manages the sending of spam messages, the PDPA sets out rules governing the proper collection, use and disclosure of personal data, which would include contact information of an individual. Under the PDPA, organisations are required to obtain consent for a stated purpose to collect, use or disclose the personal data of an individual, and safeguard such data, unless exceptions apply.

In addition, the provisions relating to the DNC Registry in the PDPA allow individuals to opt out of marketing messages (voice calls, SMS/MMS or fax) delivered to a Singapore telephone number. Organisations are generally prohibited from sending marketing messages to Singapore telephone numbers registered with the DNC Registry unless they have obtained clear and unambiguous consent in written or other accessible form from the user/subscriber to the sending of the message, or if the organisation can rely on the Personal Data Protection (Exemption from Section 43) Order 2013 or any other exclusions.

In relation to the sending of spam messages, the PDPA applies to the collection, use and disclosure of individuals' contact information for such purposes, while the SCA governs the manner in which the spam message may be sent. These frameworks will operate concurrently.

‘Publicly available’ in relation to personal data about an individual, means personal data that is generally available to the public. This includes personal data which can be observed by reasonably expected means at a location or an event – (a) at which the individual appears; and (b) that is open to the public.

An organisation need not obtain consent for the collection, use or disclosure of personal data that is publicly available but may still have to comply with other obligations under the PDPA.

While an organisation need not obtain consent for the collection, use or disclosure of personal data that is publicly available, it may still have to comply with all other obligations under the PDPA.

In particular, the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. In this regard, the circumstances would need to be taken into account in determining whether the purpose is appropriate.

Given that publicly available personal data is already made available to the public, the PDPC recognises that for the purposes of the PDPA, it would not be practical nor useful to unduly limit the purposes for which such data can be collected, used or disclosed, unless it is for clearly unreasonable purposes, for example, the purpose is in violation of a law or would be harmful to the individual concerned.

In any case, organisations should note that their collection, use or disclosure of personal data from publicly available sources may be bound by terms and conditions imposed and enforceable by the data source.

Publicly available personal data refers to personal data about an individual that is generally available to the public. In some situations, the existence of restrictions or conditions for access to the database may not prevent the data from being publicly available.

For example, where a database is made accessible to the public, the personal data contained in such a database would generally be considered publicly available, even if a nominal fee is payable in order to access the data.

However, whilst the PDPA does not require consent to be obtained for the collection, use or disclosure of publicly available personal data, organisations are reminded to comply with all other obligations of the PDPA.

Personal data is defined under the PDPA as "data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access".

At the point of generation, the randomly generated data, on their own, may not be considered personal data to the organisation if the randomly generated data does not relate to any individual and is unlikely to lead to the identification of any individual. However, the randomly generated data may become personal data if the organisation obtains further information such that the individual can be identified from that data (by itself or in combination with other information that the organisation has or is likely to have access to).

For example, while a randomly generated 8-digit number beginning with '8' or '9', without more information, is not personal data, it may become personal data if the organisation calls the 8-digit number and ascertains that it is a mobile telephone number that is in use.

Similarly, an organisation that randomly generates a NRIC number (e.g. by applying an algorithm or using a validator to ascertain that the randomly generated number is a valid NRIC number) will be considered as having collected the NRIC number. The collection, use or disclosure of such numbers is subject to the treatment set out in the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers, i.e. organisations may not collect, use or disclose such numbers unless it is required by law or necessary to accurately establish or verify the identity of an individual to a high degree of fidelity.

The PDPA applies to the collection, use or disclosure of personal data of individuals who can be identified from that data, even if that data was randomly generated in the first instance.

Sellers of databases comprising randomly generated numbers beginning with '8' or '9' which have been ascertained to be in use would be considered to be disclosing personal data, and the PDPA would apply. Similarly, those who purchase and use such databases would be considered to be collecting and using personal data, and the PDPA would apply. Among other things, consent of the individual is required for the collection, use or disclosure of the personal data, unless any exception applies.

An individual is deemed to consent to the collection, use or disclosure of personal data by an organisation if the individual voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that he or she would do so.

For example, an individual seeking medical treatment from a medical facility, such as a clinic or hospital, would voluntarily provide his or her personal data for such a purpose. He or she would be deemed to have consented to the collection and use of his or her personal data by the medical facility for that purpose.

There are a number of requirements that both individuals and organisations need to take note of. Some of these are:

· The individual must give reasonable notice of the withdrawal to the organisation. As a general rule of thumb, ten business days is considered to be reasonable notice.

· On receipt of the notice, the organisation must inform the individual of the likely consequences of withdrawing consent. Consequences for withdrawal of consent could simply be that the organisation would cease to collect, use or disclose the individual’s personal data for the purpose specified by the individual. However, if there are other likely consequences, the organisation must also inform the individual of those.

· An organisation must not prohibit an individual from withdrawing consent, although this does not affect any legal consequences arising from such withdrawal.

· Upon withdrawal of consent, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless the collection, use or disclosure of the personal data without consent is required or authorised under the PDPA or any other written law.

Organisations may provide in their marketing messages a facility for individuals to withdraw their consent (e.g. by clicking on an “unsubscribe” link within an e-mail). Organisations are encouraged to clearly indicate the scope of the withdrawal in such instances. Organisations are also encouraged to inform individuals of how they may withdraw consent for matters outside the scope of such withdrawal.

In some cases, individuals may provide organisations a general withdrawal notice for marketing, i.e. it is not clear for which channel of receiving marketing messages consent is withdrawn. In such cases, the PDPC would consider a withdrawal of consent for marketing sent via a particular channel to apply only to marketing messages sent via that channel.

These are purposes to do with an individual's personal, family or household affairs. For example, when an individual keeps a database of his or her friends' and relatives' names, addresses, contact numbers and birthdates for his or her own personal use, he or she is considered to be acting in a personal or domestic capacity. His or her keeping of the database will not be covered under the PDPA.

Business contact information (BCI) refers to an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for personal purposes.

Based on the above definition, BCI is excluded from the data protection provisions of the PDPA. Separately, please note that the DNC provisions generally apply to all Singapore telephone numbers, unless the organisation has obtained clear and unambiguous consent in written or other accessible form from the user/subscriber to the sending of the telemarketing message, or if the organisation can rely on the Personal Data Protection (Exemption from Section 43) Order 2013 or any other exclusions.

An organisation shall be considered a data intermediary if it processes data on behalf of another organisation. If the organisation processes personal data as a data intermediary pursuant to a contract which is evidenced or made in writing, the data protection provisions of the PDPA would impose fewer obligations on the data intermediary, namely those pertaining to protection and retention of personal data.

An example of a data intermediary could be an organisation which merely provides hosting or storage of the personal data for another organisation. Separately, the Electronic Transactions Act provides that a network service provider will not be subject to any liability under the PDPA, in respect of third-party material in the form of electronic records to which it merely provides access.

The data protection provisions in the PDPA (parts III to VI) do not apply to any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. Public agencies include the Government, any tribunal appointed under any written law and the statutory bodies specified in the Personal Data Protection (Statutory Bodies) Notification 2013. In the handling of personal data, public agencies and such organisations acting on their behalf will be subject to the relevant internal government rules and sector-specific legislation.

If your organisation is a Small and Medium Enterprise (SME), you may wish to consider the Legal Aid Scheme for a one-hour consultation with a qualified legal practitioner from a panel appointed by the Law Society of Singapore (LawSoc) for an initial assessment of the organisation's level of compliance with the PDPA. Please refer to our webpage Help for Organisations or LawSoc's webpage PDPA Legal Advice Scheme for further details.

The PDPC does not provide legal advice. You may refer to our Advisory Guidelines, which provide guidance on the manner in which the PDPC will interpret provisions of the PDPA. The guidelines are advisory in nature and do not constitute legal advice. They are not legally binding on the PDPC or any other party. You may wish to engage independent legal advice if you are in doubt.

The PDPC provides only general information and clarification to enquiries. It is important to note that the PDPC does not provide legal or specific advice to your enquiry that may require a certain standard or decision from the PDPC to be made. Our response to your query is not a substitute for legal advice, and is not legally binding on the PDPC or any other party. You may wish to engage independent legal advice if you are in doubt.

If you are unable to find an answer to your query, please submit your Feedback to let us know how we can help you.